A serious privacy issue in iPhone that could be exploited by iOS app developers to silently take your photos and record your live video by enabling cameras.
Do you use an iPhone? If yes, there is probably something that you need to know about it!
The Austrian developer and Google engineer, Felix Krause, has discovered a serious privacy issue in Apple iPhone that could be exploited by iOS app developers to silently take your photos and record your live video by enabling both front and back camera.
The iPhone users will never receive any notification from the device, technical details were shared by Krause in a blog post published Wednesday.
“iOS users often grant camera access to an app soon after they download it (e.g., to add an avatar or send a photo). These apps, like a messaging app or any news-feed-based app, can easily track the users face, take pictures, or live stream the front and back camera, without the user’s consent.” wrote Krause.
According to Krause, the issue is the direct consequence of the way Apple software handles camera access. Today almost any application, including WhatsApp, Facebook, and Snapchat, requests access to your camera to allow users to take a photo within the app.
Once the users granted camera permission, a developer could perform the following operations:
- access both the front and the back camera
- record you at any time the app is in the foreground
- take pictures and videos without telling you
- upload the pictures/videos it takes immediately
- run real-time face recognition to detect facial features or expressions
It is enough to enable camera access just one time when the app asks for permission to gain full access to the camera without requiring any LED light or notification, it is scaring.
“All without indicating that your phone is recording you and your surrounding, no LEDs, no light or any other kind of indication.” continues the developer.
Krause developed a proof-of-concept app only to demonstrate how a malicious app could silently abuse such permissions to take pictures every second or even live stream video of the surrounding environment.
“This project is a proof of concept and should not be used in production. The goal is to highlight a privacy loophole that can be abused by iOS apps.” continues the developer.
Below a video PoC of the issue, which shows how the demo app takes photographs of the users using it every second. The app developed by the expert uses a facial recognition system to detect the owner is using it.
Krause urges Apple to introduce a way to mitigate the issue, for example by granting only temporary permissions to access the camera.
Another way to mitigate the issue is the implementation a warning light or a mechanism to notify to the iPhone owner that their camera in currently used by an application.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.